Security-Portal.cz is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, Linux and BSD systems. It runs many interesting services and supports its followers in interesting projects.


How Intel’s ‘AI everywhere’ strategy could challenge Nvidia’s dominance

Computerworld.com [Hacking News] - 12 April, 2024 - 12:00

At its annual Intel Vision conference, CEO Pat Gelsinger laid out an ambitious roadmap that includes generative artificial intelligence (genAI) at every turn.

Intel’s hardware strategy is centered around its new Gaudi 3 GPU, which was purpose built for training and running massive large language models (LLMs) that underpin genAI in data centers. Intel’s also taking aim with its new line of Xeon 6 processors — some of which will have onboard neural processing units (NPUs or “AI accelerators”) for use in workstations, PCs and edge devices. Intel also claims its Xeon 6 processors will be good enough to run smaller, more customized LLMs, which are expected to grow in adoption.

Intel’s pitch: Its chips will cost less and use a friendlier ecosystem than Nvidia’s.

Gelsinger’s keynote speech called out Nvidia’s popular H100 GPU, saying the Gaudi 3 AI accelerator delivers 50% on average better inference and 40% on average better power efficiency “at a fraction of the cost.” Intel also claims Gaudi 3 outperforms the H100 for training up different types of LLMs — and can do so up to 50% faster.

The server and storage infrastructure needed for training extremely large LLMs will take up an increasing portion of the AI infrastructure market due to the LLMs’ insatiable hunger for compute and data, according to IDC Research. IDC projects that the worldwide AI hardware market (server and storage), including for running generative AI, will grow from $18.8 billion in 2021 to $41.8 billion in 2026, representing close to 20% of the total server and storage infrastructure market.

Along with its rapidly growing use in data center servers, genAI is expected to drive on-device AI chipsets for PCs and other mobile devices to more than 1.8 billion units by 2030. That’s because laptops, smartphones, and other form factors will increasingly ship with on-device AI capabilities, according to ABI Research. In layman’s terms, Intel wants its Xeon chips (and NPUs) to power those desktop, mobile and edge devices. Intel’s next generation Core Ultra processor — Lunar Lake — is expected to launch later this year, and it will have more than 100 platform tera operations per second (TOPS) and more than 45 NPU TOPS aimed at a new generation of PCs enabled for genAI use.

While NPUs have been around for decades for machine-learning systems, the emergence of OpenAI’s ChatGPT in November 2022 started an arms race among chipmakers to supply the fastest and most capable accelerators to handle rapid genAI adoption.

Intel CEO Pat Gelsinger describes the company’s “AI Everywhere” strategy at its Vision 2024 conference this week. 

Intel Corp.

Nvidia started with a leg up on competitors. Originally designed for computer games, Nvidia’s AI chips — graphics processor units (GPUs) — are its own form of accelerators, but they’re costly compared to standard CPUs. Because its GPUs positioned Nvidia to take advantage of the genAI gold rush, the company quickly became the third-most valuable company in the US. Only Microsoft and Apple surpass it in market valuation.

Industry analysts agree that Intel’s competitive plan is solid, but it has a steep hill to climb to catch Nvidia, a fabless chipmaker that boasts about 90% of the data center AI GPU market and 80% of the entire AI chip market.

Over time, more than half of Nvidia’s data center business will come from AI services run in the cloud, according to Raj Joshi, senior vice president for Moody’s Investors Service. “The lesson has not been lost on cloud providers such as Google and Amazon, each of which have their own GPUs to support AI-centric workloads,” he said.

“Essentially, there’s only one player that’s providing Nvidia and AMD GPUs, and that’s TSMC in Taiwan, which is the leading developer of semiconductors today, both in terms of its technology and its market share,” Joshi said.

Intel is not fabless. It has long dominated the design and manufacture of high-performance CPUs, though recent challenges due to genAI reflect fundamental changes in the computing landscape.

Ironically, Intel’s Gaudi 3 chip is manufactured by TSMC using its 5 nanometer (nm) process technology versus the previous 7nm process.

GenAI in data centers today, edge tomorrow

Data centers will continue to deploy CPUs in large numbers to support Internet services and cloud computing, but they are increasingly deploying GPUs to support AI — and Intel has struggled to design competitive GPUs, according to Benjamin Lee, a professor at the University of Pennsylvania’s School of Engineering and Applied Science.

Intel’s Gaudi 3 GPU and Xeon 6 CPU come at a lower cost with lesser power needs than Nvidia’s Blackwell H100 and H200 GPUs, according to Forrester Research Senior Analyst Alvin Nguyen. A cheaper, more efficient chip will help mitigate the insatiable power demands of genAI tools while still being “performant,” he said.

Accelerator microprocessors handle two primary purposes for genAI: training and inference. Chips that handle AI training use vast amounts of data to train neural network algorithms that then are expected to make accurate predictions, such as the next word or phrase in a sentence or the next image. So, chips are also required to speedily infer what the answer to a prompt (query) will be.

But LLMs must be trained before they can begin to infer a useful answer to a query. The most popular LLMs provide answers based on massive data sets ingested from the Internet, but they can sometimes be inaccurate or downright bizarre, as is the case with genAI hallucinations, when the tech goes right off the rails.

Gartner Research Vice President Analyst Alan Priestley said while today’s GPUs primarily support the compute-intensive training of massive LLMs, in the future businesses will want smaller genAI LLMs based on proprietary datasets — not information from an ocean outside of a company.

Nvidia’s pricing for now is based on a high-performance product that does an excellent job handling the intensive needs of training up an LLM, Priestley said. And, Nvidia can charge what it wants for the product, but that means it’s relatively easy for rivals to undercut it in the market.

RAG to the rescue

To that end, Intel’s Gelsinger called out Intel’s Xeon 6 processors, which can run retrieval augmented generation processes, or “RAG” for short. RAG optimizes the output of an LLM by referencing (accessing) an external knowledge base outside of the massive online data sets on which genAI LLMs are traditionally trained. Using RAG software, an LLM could access a specific organization’s databases or document sets in real time.

For example, a RAG-enabled LLM can provide healthcare system patients with medication advice, appointment scheduling, prescription refills and help in finding physicians and hospital services. RAG can also be used to ingest customer records in support of more accurate and contextually appropriate genAI-powered chatbot responses. RAG also continuously searches for and includes updates from those external sources, meaning the information used is current.

The push for RAG and more narrowly tailored LLMs ties into Intel’s confidential computing and Trusted Domain security efforts, which are aimed at enabling enterprises to utilize their data while also protecting it.

“And for those models, Intel’s story is that you can run them on a much smaller system — a Xeon processor. Or you could run those models on a processor augmented by an NPU,” Priestley said. “Either way, you know you can do it without investing in billions of dollars in huge arrays of hardware infrastructure.”

“Gaudi 3, Granite Rapids or Sierra Forest Xeon processors can run large language models for the type of things that a business will need,” Priestley said.

Intel is also betting on its use of industry standard Ethernet, pitting it against Nvidia’s reliance on the more proprietary InfiniBand high-performance computer networking bus.

Ethernet or Infiniband?

During a media call this week, Intel’s vice president of Xeon software, Das Kamhout, said he expects the Gaudi 3 chips to be “highly competitive” on pricing, the company’s open standards, and because of its integrated on-chip network, which uses data center friendly Ethernet. The Gaudi 3 has 24 Ethernet ports, which it uses to communicate between other Gaudi chips, and then to communicate between servers.

In contrast, Nvidia uses InfiniBand for networking and a proprietary software platform called Compute Unified Device Architecture (CUDA); the programming model provides an API that lets developers leverage GPU resources without requiring specialized knowledge of GPU hardware. The CUDA platform has become the industry standard for genAI accelerated computing and only works with Nvidia hardware.

Instead of a proprietary platform, Intel is working on creating an open Ethernet networking model for genAI fabrics, and introduced an array of AI-optimized Ethernet solutions at its Vision conference. The company is working through the Ultra Ethernet Consortium (UEC) to design large scale-up and scale-out AI fabrics.

“Increasingly, AI developers…want to get away from using CUDA, which makes the models a lot more transportable,” Gartner’s Priestley said.

A new chip arms race

Neither Intel nor Nvidia have been able to keep up with demand caused by a firestorm of genAI deployments. Nvidia’s GPUs were already popular, which caused the company’s share price to surge by almost 450% since January 2023. And it continues to push ahead: at its GTC AI Conference last month, Nvidia unveiled the successor to its H100, the Blackwell B200, which delivers up to 20 petaflops of compute power.

Meanwhile, Intel at its Vision conference called out its sixth generation of Xeon processors, which includes the Sierra Forest, the first “E-Core” Xeon 6 processor that will be delivered to customers with 144 cores per socket, “demonstrating enhanced efficiency,” according to IDC Research Vice President Peter Rutten. Intel claims it has received positive feedback from cloud service providers who’ve tested the Sierra Forest chip.

Intel’s newest line of Xeon 6 processors is being targeted for use in the data center, cloud and edge devices, but those chips will handle smaller to mid-sized LLMs.

Intel also plans to release the Granite Rapids processor in the second quarter of the year. “The product, which is being built on Intel 3nm process, shares the same base architecture as that of Sierra Forest, enabling easy portability in addition to the increased core and performance per watt and better memory speed,” Rutten wrote in a report. Intel claims the Granite Rapids processor can run Llama-2 models with up to 70 billion parameters.

Intel’s next-gen Xeon 6 and Core Ultra processors will be key to the company’s ability to provide AI solutions across a variety of use cases, including training, tuning, and inference, in a variety of locations (i.e., end user, edge, and data center), according to Forrester’s Nguyen. But, the Xeon and Core Ultra processors are being marketed at smaller to mid-sized large language models. Intel’s new Gaudi 3 processor is purpose-built for genAI use and will be targeted at LLMs with 176 billion parameters or more, according to an Intel spokesperson.

“The continued AI [chip] supply chain shortages means Intel products will be in demand, guaranteeing work for both Intel products and Intel foundry,” Nguyen said. “Intel’s stated willingness to have other companies use their foundry services and share intellectual property — licensing technology they develop — means their reach may grow” into markets they do not currently address, such as mobile.

CPUs and Processors, Generative AI, Intel, Vendors and Providers
Category: Hacking & Security

Iranian MuddyWater Hackers Adopt New C2 Tool 'DarkBeatC2' in Latest Campaign

The Hacker News - 12 April, 2024 - 11:49
The Iranian threat actor known as MuddyWater has been attributed to a new command-and-control (C2) infrastructure called DarkBeatC2, becoming the latest such tool in its arsenal after SimpleHarm, MuddyC3, PhonyC2, and MuddyC2Go. "While occasionally switching to a new remote administration tool or changing their C2 framework, MuddyWater’s methods remain constant," Deep
Category: Hacking & Security

5 advanced tricks for Google’s Circle to Search on Android

Computerworld.com [Hacking News] - 12 April, 2024 - 11:45

One of my favorite Android features right now is something that’s simultaneously new and familiar.

It’s Circle to Search — a clever concept that came out for Google’s Pixel 8 and Pixel 8 Pro phones along with the Galaxy S24 earlier this year and is now in the midst of rolling out to even more Android devices.

Circle to Search is brilliant in both its power and its simplicity: On any device where it’s available, you just press and hold your finger to the bottom-center of the screen to summon it and search for anything you see on your screen at that moment.

The “Circle” part comes into play because after activating the system, you use your finger to circle the specific area of your screen you want to explore — be it an image you want to gain extra context around, a graphic with typically unselectable text that you want to copy, or a word or phrase you want to define or research further.

Google’s Circle to Search system in action on Android.

It’s almost exactly like the powers Google gave us and then soon took back away with a feature called Google Now on Tap way back in 2015. The technology behind the system has grown more advanced in the time since Now on Tap’s debut and subsequent demise, but the core concept is shockingly similar.

And now more than ever, the system is packed with productivity-pushing potential. That’s especially true if you know about some impressive yet completely invisible tricks within it.

Lemme show ya some of the best Circle to Search magic I’ve uncovered over these past several weeks — and if you’re using a phone that doesn’t have Circle to Search available yet, don’t despair: I’ve got a crafty workaround that’ll let you experience much of the same goodness on any Android device, even if Circle to Search itself isn’t present.

Android Circle to Search trick #1: Zippity zooming

Up first, ever find it tricky to circle or highlight small-sized text on your screen after activating Circle to Search?

Take note: Once the Circle to Search system is present, you can zoom in or out of the frozen area beneath it by pinching two fingers apart or together on the screen.

Zoom-a-zoom-zoom zoomin’, Circle to Search style.

JR Raphael, IDG

Good to know, right?!

Android Circle to Search trick #2: Bar bumpin’

The telltale sign of Circle to Search being active is the Google search bar at the bottom of the screen. But what if the area you want to circle and search is beneath that bar and impossible to access?

You’d never know it, but that Circle to Search bar is actually completely fluid and moveable. Just tap your finger onto it and swipe or flick upward to send it up to the top of the screen instead.

The Circle to Search bar can shift around the screen as needed.

Whee!

Android Circle to Search trick #3: Easy adjusting

Here’s a neat one: If you ever find yourself wanting to shift the focus of Circle to Search after activating it and drawing your initial circle, you don’t have to close out your current session and start all over again.

Instead, just tap your finger anywhere on the screen to select another area — or use your finger to draw another circle. It’ll work, and it’ll instantly replace your original focus with whatever new one you select.

It’s simple to change your selection once Circle to Search is active.

And speaking of after-the-fact adjustments…

Android Circle to Search trick #4: Fast follow-ups

The next time Circle to Search shows you info around something on your screen and you want to dive even deeper into that same subject, remember this: You can ask follow-up questions related to your selection to seek out even more specifics.

This trick works when you’ve selected a box-outlined area of the screen with Circle to Search — not just highlighted text. If you’ve highlighted text, you’ll need to tap on an open area of the screen without words on it to summon the box tool and then drag it over the appropriate area first.

Once you have an area selected with a box, though, you can simply tap the Google search bar in the panel at the bottom of the screen or tap the microphone icon within the bar to ask a conversational question about whatever Circle to Search is showing you.

See?

Asking a follow-up question in Circle to Search on Android.

And finally…

Android Circle to Search trick #5: On-demand translation

Translating languages on Android has always been relatively easy to do, but it gets even faster with Circle to Search in the mix.

Just fire up Circle to Search while viewing the words you want to translate. Now, next to the search bar at the bottom of the screen, see that circular icon — the one with an “A” inside of it?

The Circle to Search translation button, hiding in plain sight.

Tap that. And in the blink of an eye, your phone will pop up a prompt asking what languages you want to use for the translation.

Circle to Search translation lets you select your languages.

Select what you want, and bam: Before you can even utter the words “bonjour, pamplemousse,” you’ll have your translation in front of your purty peepers and ready to be read.

A completed translation, by Circle to Search. Facile, non?

Pas mal, pamplemousse. Pas mal du tout.

Android, Google, Google Search, Mobile
Category: Hacking & Security

Zero-Day Alert: Critical Palo Alto Networks PAN-OS Flaw Under Active Attack

The Hacker News - 12 April, 2024 - 10:56
Palo Alto Networks is warning that a critical flaw impacting PAN-OS software used in its GlobalProtect gateways is being actively exploited in the wild. Tracked as CVE-2024-3400, the issue has a CVSS score of 10.0, indicating maximum severity. "A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct
Category: Hacking & Security

XZ backdoor story – Initial analysis

Kaspersky Securelist - 12 April, 2024 - 10:00

On March 29, 2024, a single message on the Openwall OSS-security mailing list marked an important discovery for the information security, open source and Linux communities: the discovery of a malicious backdoor in XZ. XZ is a compression utility integrated into many popular distributions of Linux.

The particular danger of the backdoored library lies in its use by the OpenSSH server process sshd. On several systemd-based distributions, including Ubuntu, Debian and RedHat/Fedora Linux, OpenSSH is patched to use systemd features, and as a result has a dependency on this library (note that Arch Linux and Gentoo are unaffected). The ultimate goal of the attackers was most likely to introduce a remote code execution capability to sshd that no one else could use.

Unlike other supply chain attacks we have seen in Node.js, PyPI, FDroid, and the Linux Kernel that mostly consisted of atomic malicious patches, fake packages and typosquatted package names, this incident was a multi-stage operation that almost succeeded in compromising SSH servers on a global scale.

The backdoor in the liblzma library was introduced at two levels. The source code of the build infrastructure that generated the final packages was slightly modified (by introducing an additional file build-to-host.m4) to extract the next stage script that was hidden in a test case file (bad-3-corrupt_lzma2.xz). These scripts in turn extracted a malicious binary component from another test case file (good-large_compressed.lzma) that was linked with the legitimate library during the compilation process to be shipped to Linux repositories. Major vendors in turn shipped the malicious component in beta and experimental builds. The compromise of XZ Utils is assigned CVE-2024-3094 with the maximum severity score of 10.

The timeline of events

2024.01.19 XZ website moved to GitHub pages by a new maintainer (jiaT75)
2024.02.15 “build-to-host.m4” is added to .gitignore
2024.02.23 two “test files” that contained the stages of the malicious script are introduced
2024.02.24 XZ 5.6.0 is released
2024.02.26 commit in CMakeLists.txt that sabotages the Landlock security feature
2024.03.04 the backdoor leads to issues with Valgrind
2024.03.09 two “test files” are updated, CRC functions are modified, Valgrind issue is “fixed”
2024.03.09 XZ 5.6.1 is released
2024.03.28 bug is discovered, Debian and RedHat notified
2024.03.28 Debian rolls back XZ 5.6.1 to 5.4.5-0.2 version
2024.03.29 an email is published on the OSS-security mailing list
2024.03.29 RedHat confirms backdoored XZ was shipped in Fedora Rawhide and Fedora Linux 40 beta
2024.03.30 Debian shuts down builds and starts process to rebuild it
2024.04.02 XZ main developer recognizes the backdoor incident

Backdoored source distributions

xz-5.6.0

MD5: c518d573a716b2b2bc2413e6c9b5dbde
SHA1: e7bbec6f99b6b06c46420d4b6e5b6daa86948d3b
SHA256: 0f5c81f14171b74fcc9777d302304d964e63ffc2d7b634ef023a7249d9b5d875

xz-5.6.1

MD5: 5aeddab53ee2cbd694f901a080f84bf1
SHA1: 675fd58f48dba5eceaf8bfc259d0ea1aab7ad0a7
SHA256: 2398f4a8e53345325f44bdd9f0cc7401bd9025d736c6d43b372f4dea77bf75b8

Initial infection analysis

The XZ git repository contains a set of test files that are used when testing the compressor/decompressor code to verify that it’s working properly. The account named Jia Tan, or “jiaT75”, committed two test files that initially appeared harmless, but served as the bootstrap to implant the backdoor.

The associated files were:

These files were intended to contain shell scripts and the backdoor binary object itself. However, they were hidden within the malformed data, and the attacker knew how to properly extract them when needed.

Stage 1 – The modified build-to-host script

When the XZ release is ready, the official GitHub repository distributes the project’s source files. Initially, these releases on the repository, aside from containing the malicious test files, were harmless because they didn’t get the chance to execute. However, the attacker appears to have only added the malicious code that bootstraps the infection when the releases were sourced from https://xz[.]tukaani.org, which was under the control of Jia Tan.

This URL is used by most distributions, and, when downloaded, it comes with a file named build-to-host.m4 that contains malicious code.

build-to-host.m4 (c86c8f8a69c07fbec8dd650c6604bf0c9876261f) is executed during the build process and executes a line of code that fixes and decompresses the first file added to the tests folder:

Deobfuscated line of code in build-to-host.m4

This line of code replaces the “broken” data from bad-3-corrupt_lzma2.xz using the tr command, and pipes the output to the xz -d command, which decompresses the data. The decompressed data contains a shell script that will be executed later using /bin/bash, triggered by this .m4 file.

Stage 2 – The injected shell script

The malicious script injected by the malicious .m4 file verifies that it’s running on a Linux machine and also that it’s running inside the intended build process.

Injected script contents

To execute the next stage, it uses good-large_compressed.lzma, which is indeed compressed correctly with XZ, but contains junk data inside the decompressed data.

The junk data removal procedure is as follows: the eval function executes the head pipeline, with each head command either ignoring the next 1024 bytes or extracting the next 2048 or 724 bytes.

In total, these commands extracted 33,492 bytes (2048*16 + 724 bytes). The tail command then retains the final 31,265 bytes of the file and ignores the rest.

Then, the tr command applies a basic substitution to the output to deobfuscate it. The second XZ command decompresses the transformed bytes as a raw lzma stream, after which the result is piped into shell.

Stage 3 – Backdoor extraction

The last stage shell script performs many checks to ensure that it is running in the expected environment, such as whether the project is configured to use IFUNC (which will be discussed in the next sections).

Many of the other checks performed by this stage include determining whether GCC is used for compilation or if the project contains specific files that will be used by the script later on.

In this stage, it extracts the backdoor binary code itself, an object file that is currently hidden in the same good-large_compressed.lzma file, but at a different offset.

The following code handles this:

Partial command used by the last script stage

The extraction process operates through a sequence of commands, with the result of each command serving as the input for the next one. The formatted one-liner code is shown below:

Formatted backdoor extraction one-liner

Initially, the file good-large_compressed.lzma is extracted using the XZ tool itself. The subsequent steps involve calling a chain of head calls with the “eval $i” function (same as the stage 3 extraction).

Then a custom RC4-like algorithm is used to decrypt the binary data, which contains another compressed file. This compressed file is also extracted using the XZ utility. The script then removes some bytes from the beginning of the decompressed data using predefined values and saves the result to disk as liblzma_la-crc64-fast.o, which is the backdoor file used in the linking process.

Finally, the script modifies the function is_arch_extension_supported from the crc_x86_clmul.h file in liblzma, to replace the call to the __get_cpuid function with _get_cpuid, removing one underscore character.

This modification allows it to be linked into the library (we’ll discuss this in more detail in the next section). The whole build infection chain can be summarized in the following scheme:

Binary backdoor analysis

A stealth loading scenario

In the original XZ code, there are two special functions used to calculate the CRC of the given data: lzma_crc32 and lzma_crc64. Both of these functions are stored in the ELF symbol table with type IFUNC, a feature provided by the GNU C Library (GLIBC). IFUNC allows developers to dynamically select the correct function to use. This selection takes place when the dynamic linker loads the shared library.

The reason XZ uses this is that it allows for determining whether an optimized version of the lzma_crcX function should be used or not. The optimized version requires special features from modern processors (CLMUL, SSSE3, SSE4.1). These special features need to be verified by issuing the cpuid instruction, which is called using the __get_cpuid wrapper/intrinsic provided by GLIBC, and it’s at this point the backdoor takes advantage to load itself.

The backdoor is stored as an object file, and its primary goal is to be linked to the main executable during compilation. The object file contains the _get_cpuid symbol, as the injected shell scripts remove one underscore symbol from the original source code, which means that when the code calls _get_cpuid, it actually calls the backdoor’s version of it.

Backdoor code entry point
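
The build-stage indicators named so far (the two test files, the build-to-host.m4 digest, the release hashes and the underscore removed from __get_cpuid) can be checked in an unpacked source or build tree. The scanner below is an added example, not code from the original analysis; it matches files by name, and treating the 40-hex build-to-host.m4 value as a SHA-1 is an assumption.

```python
import hashlib
import re
import sys
from pathlib import Path

# SHA256 values this page lists for the backdoored source distributions.
BAD_TARBALL_SHA256 = {
    "0f5c81f14171b74fcc9777d302304d964e63ffc2d7b634ef023a7249d9b5d875": "xz-5.6.0",
    "2398f4a8e53345325f44bdd9f0cc7401bd9025d736c6d43b372f4dea77bf75b8": "xz-5.6.1",
}
# Digest this page gives for the malicious build-to-host.m4.
# Assumption: the 40-hex value is a SHA-1.
BAD_M4_SHA1 = "c86c8f8a69c07fbec8dd650c6604bf0c9876261f"
# Test files that carried the script stages and the binary object.
STAGE_FILES = {"bad-3-corrupt_lzma2.xz", "good-large_compressed.lzma"}
# _get_cpuid( with exactly one leading underscore; __get_cpuid( must not match.
ONE_UNDERSCORE = re.compile(rb"(?<![A-Za-z0-9_])_get_cpuid\s*\(")


def file_digest(path, algo):
    """Hash a file in chunks so large tarballs are not loaded into memory."""
    digest = hashlib.new(algo)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root):
    """Return sorted (indicator, relative path) pairs found under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        name = path.name
        if name in STAGE_FILES:
            findings.append(("stage-carrier-test-file", rel))
        elif name == "build-to-host.m4":
            # Match on the digest, not on the file name alone.
            if file_digest(path, "sha1") == BAD_M4_SHA1:
                findings.append(("malicious-build-to-host.m4", rel))
        elif name == "crc_x86_clmul.h":
            # Stage 3 edits this header during the build, so this fires on
            # a build tree rather than on a freshly unpacked tarball.
            if ONE_UNDERSCORE.search(path.read_bytes()):
                findings.append(("get_cpuid-underscore-removed", rel))
        elif ".tar." in name:
            version = BAD_TARBALL_SHA256.get(file_digest(path, "sha256"))
            if version:
                findings.append((f"backdoored-tarball-{version}", rel))
    return sorted(findings)


if __name__ == "__main__":
    hits = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for indicator, rel in hits:
        print(f"{indicator}\t{rel}")
    sys.exit(1 if hits else 0)
```
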

Backdoor code analysis

The initial backdoor code is invoked twice, as both lzma_crc32 and lzma_crc64 use the same modified function (_get_cpuid). To ensure control over this, a simple counter is created to verify that the code has already been executed. The actual malicious activity starts when the lzma_crc64 IFUNC invokes _get_cpuid, sees the counter value 1 indicating that the function has already been accessed, and initiates one final step to redirect to the true entry point of this malware.

Backdoor initialization

To initialize the malicious code, the backdoor first initializes a couple of structures that hold core information about the current running process. Primarily, it locates the Global Offset Table (GOT) address using hardcoded offsets, and uses this information to find the cpuid pointer inside it.

GOT modification code

The GOT contains the offsets of symbols, including the cpuid wrapper. The backdoor then swaps the pointers to the main malware function, and calls it as if it were calling cpuid.

Core behavior

The main goal of the backdoor is to successfully hook specific functions that will allow it to monitor every connection to the infected machine. The targeted functions include:

  • RSA_public_decrypt: Used by libcrypto to decrypt a ciphertext signed by a private key
  • EVP_PKEY_set1_RSA: Used by libcrypto to set the RSA key of a given context
  • RSA_get0_key: Used by libcrypto to retrieve an RSA key

However, hooking all these functions is not a simple and straightforward task for the backdoor. It involves accessing many internal structures and manipulating process-specific structures until it achieves its goal, and it also needs to be as stealthy as possible, which means that the malicious code contains multiple checks to avoid being analyzed.

Execution environment check

It first parses ld-linux (dynamic linker), which is primarily responsible for dynamically resolving symbol addresses in memory. It also extracts various information about the environment and verifies that the current process the backdoor is running in matches its execution criteria, which are:

  • The current process is /usr/bin/sshd
  • Check if the kill switch is present

It extracts the name of the current process from argv[0] and also parses all the process environment variables to see if any of them are present in its internal string table. If a match is found, or the process is not sshd, the malware halts its execution.

Process environment check

The only variable inside its own table is yolAbejyiejuvnup=Evjtgvsh5okmkAvj, which in this context serves as a kill switch.

The trie structure

One of the distinctive features of the backdoor is the use of a single trie structure for string operations. Instead of directly comparing strings or using string hashes to match a particular constant (for example, the name of a library function), the code performs a trie lookup, and checks if the result is equal to a certain constant number. For example, the magic value for the ELF header results in the trie returning 0x300, and the name of the system function is matched with a return value of 0x9F8. Trie is not just used for comparisons: certain functions that use pointers to strings (for example, ssh-2.0) search for these strings in the host binary using the trie, so there will be no suspicious data in the backdoor’s body.

The implementation of the trie uses 16-byte bitmasks, each half corresponding to the byte input ranges 0x00-0x3F and 0x40-0x7F, and 2-byte trie leaf nodes, 3 bits of which are flags (direction, termination) and the rest is reserved for the value (or the location of the next node).

Part of the trie lookup function that performs the bitmap match

Symbol resolver

There are at least three symbol resolver-related routines used by the backdoor to locate the ELF Symbol structure, which holds information such as the symbol name and its offset. All symbol resolver functions receive a key to be searched in the trie.

Symbol resolver example

One of the backdoor resolver functions iterates through all symbols and verifies which one has the desired key. If it is found, it returns the Elf64_Sym structure, which will later be used to populate an internal structure of the backdoor that holds all the necessary function pointers. This process is similar to that commonly seen in Windows threats with API hashing routines.

The backdoor searches many functions from the libcrypto (OpenSSL) library, as these will be used in later encryption routines. It also keeps track of how many functions it was able to find and resolve; this determines whether it is executing properly or should stop.

Another interesting symbol resolver abuses the lzma_alloc function, which is part of the liblzma library itself. This function serves as a helper for developers to allocate memory efficiently using the default allocator (malloc) or a custom one. In the case of the XZ backdoor, this function is abused to make use of a fake allocator. In reality, it functions as another symbol resolver. The parameter intended for “allocation size” is, in fact, the symbol key inside the trie. This trick is meant to complicate backdoor analysis.

Symbol resolver using a fake allocator structure

The backdoor dynamically resolves its symbols while executing; it doesn’t necessarily do so all at once or only when it needs to use them. The resolved symbols/functions range from legitimate OpenSSL functions to functions such as system, which is used to execute commands on the machine.
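The resolver loop described above walks Elf64_Sym entries and counts how many targets it finds. The following added example (not code from the backdoor or from the original article) parses constructed .dynsym/.dynstr tables the same way, so an analyst can see which of the hook targets listed earlier an image actually defines. Plain name comparison stands in for the backdoor's trie key lookup; `build_tables`, the sample addresses and the section index are assumptions made for the illustration.

```python
import struct

# Elf64_Sym as defined by the ELF-64 specification (little-endian, 24 bytes):
# st_name (u32), st_info (u8), st_other (u8), st_shndx (u16), st_value (u64), st_size (u64)
ELF64_SYM = struct.Struct("<IBBHQQ")
STT_FUNC = 2     # symbol type, stored in the low 4 bits of st_info
SHN_UNDEF = 0    # section index of an imported (undefined) symbol

# Functions the article lists as hook targets.
TARGETS = ("RSA_public_decrypt", "EVP_PKEY_set1_RSA", "RSA_get0_key")


def read_name(dynstr, offset):
    """Return the NUL-terminated name at `offset` in .dynstr, or None if out of range."""
    if offset >= len(dynstr):
        return None
    end = dynstr.find(b"\x00", offset)
    if end == -1:
        return None
    return dynstr[offset:end].decode("ascii", "replace")


def iter_symbols(dynsym, dynstr):
    """Yield (name, type, shndx, value) for every complete, named Elf64_Sym entry."""
    usable = len(dynsym) - len(dynsym) % ELF64_SYM.size   # ignore a truncated tail
    for off in range(0, usable, ELF64_SYM.size):
        st_name, st_info, _other, st_shndx, st_value, _size = ELF64_SYM.unpack_from(dynsym, off)
        name = read_name(dynstr, st_name)
        if name:   # skips the null symbol at index 0 and entries with a bad st_name
            yield name, st_info & 0xF, st_shndx, st_value


def resolve(dynsym, dynstr, wanted=TARGETS):
    """Map each wanted function that is defined in this image to its st_value."""
    found = {}
    for name, sym_type, shndx, value in iter_symbols(dynsym, dynstr):
        if name in wanted and sym_type == STT_FUNC and shndx != SHN_UNDEF:
            found[name] = value
    return found


def build_tables(symbols):
    """Constructed sample input: pack (name, type, shndx, value) tuples into tables."""
    dynstr = bytearray(b"\x00")
    dynsym = bytearray(ELF64_SYM.pack(0, 0, 0, 0, 0, 0))   # mandatory null symbol
    for name, sym_type, shndx, value in symbols:
        # (1 << 4) sets STB_GLOBAL binding in the high 4 bits of st_info
        dynsym += ELF64_SYM.pack(len(dynstr), (1 << 4) | sym_type, 0, shndx, value, 0)
        dynstr += name.encode() + b"\x00"
    return bytes(dynsym), bytes(dynstr)


# Constructed tables, not taken from a real libcrypto build.
SAMPLE_DYNSYM, SAMPLE_DYNSTR = build_tables([
    ("RSA_public_decrypt", STT_FUNC, 12, 0x1A2B30),
    ("RSA_get0_key", STT_FUNC, 12, 0x1A3C40),
    ("EVP_PKEY_set1_RSA", STT_FUNC, SHN_UNDEF, 0),   # imported, not defined here
    ("RSA_size", STT_FUNC, 12, 0x1A4D50),
])

if __name__ == "__main__":
    hits = resolve(SAMPLE_DYNSYM, SAMPLE_DYNSTR)
    print(f"{len(hits)}/{len(TARGETS)} targets defined in this image:", hits)
```
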

The Symbind hook

As mentioned earlier, the primary objective of the backdoor initialization is to successfully hook functions. To do so, the backdoor makes use of rtld-audit, a feature of the dynamic linker that enables the creation of custom shared libraries to be notified when certain events occur within the linker, such as symbol resolution. In a typical scenario, a developer would create a shared library following the rtld-audit manual. However, the XZ backdoor opts to perform a runtime patch on the already registered (default) interfaces loaded in memory, thereby hijacking the symbol-resolving routine.

dl-audit runtime patch

The maliciously crafted structure audit_iface, stored in the dl_audit global variable within the dynamic linker’s memory area, contains the symbind64 callback address, which is invoked by the dynamic linker. It sends all the symbol information to the backdoor control, which is then used to obtain a malicious address for the target functions, thus achieving hooking.

Hooking placement inside the Symbind modified callback

The addresses for dl_audit and dl_naudit, which holds the number of audit interfaces available, are obtained by disassembling both the dl_main and dl_audit_symbind_alt functions. The backdoor contains an internal minimalistic disassembler used for instruction decoding. It makes extensive use of it, especially when hunting for specific values like the *audit addresses.

dl_naudit hunting code

The dl_naudit address is found by one of the mov instructions within the dl_main function code that accesses it. With that information, the backdoor hunts for access to a memory address and saves it.

It also verifies if the memory address acquired is the same address as the one accessed by the dl_audit_symbind_alt function on a given offset. This allows it to safely assume that it has indeed found the correct address. After it finds the dl_naudit address, it can easily calculate where dl_audit is, since the two are stored next to each other in memory.

Conclusion

In this article, we covered the entire process of backdooring liblzma (XZ), and delved into a detailed analysis of the binary backdoor code, up to achieving its principal goal: hooking.

It’s evident that this backdoor is highly complex and employs sophisticated methods to evade detection. These include the multi-stage implantation in the XZ repository, as well as the complex code contained within the binary itself.

There is still much more to explore about the backdoor’s internals, which is why we have decided to present this as Part I of the XZ backdoor series.

Kaspersky products detect malicious objects related to the attack as HEUR:Trojan.Script.XZ and Trojan.Shell.XZ. In addition, Kaspersky Endpoint Security for Linux detects malicious code in SSHD process memory as MEM:Trojan.Linux.XZ (as part of the Critical Areas Scan task).
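The YARA rule in this article's indicators of compromise is a single hex string with one-byte wildcards. The following added example (not part of the original article and not a replacement for running YARA) translates that hex string into a byte regex so a file can be checked where YARA is not installed; the function names and the constructed sample buffer are assumptions.

```python
import re
import sys

# Hex string $a from the page's liblzma_get_cpuid_function rule; "??" is a one-byte wildcard.
RULE_HEX = """
F3 0F 1E FA 55 48 89 F5 4C 89 CE 53 89 FB 81 E7 00 00 00 80 48 83 EC 28
48 89 54 24 18 48 89 4C 24 10 4C 89 44 24 08 E8 ?? ?? ?? ?? 85 C0 74 27
39 D8 72 23 4C 8B 44 24 08 48 8B 4C 24 10 45 31 C9 48 89 EE 48 8B 54 24
18 89 DF E8 ?? ?? ?? ?? B8 01 00 00 00 EB 02 31 C0 48 83 C4 28 5B 5D C3
"""


def compile_hex_pattern(hex_text):
    """Translate a YARA-style hex string (fixed bytes and ?? only) into a bytes regex."""
    parts = []
    for token in hex_text.split():
        if token == "??":
            parts.append(b".")                               # any single byte
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", token):
            parts.append(b"\\x" + token.lower().encode())    # literal byte as \xNN
        else:
            # Jumps ([4-6]), alternatives and nibble wildcards are not handled here.
            raise ValueError(f"unsupported token in hex string: {token!r}")
    # DOTALL so that a wildcard also matches the byte 0x0A.
    return re.compile(b"".join(parts), re.DOTALL)


GET_CPUID_PATTERN = compile_hex_pattern(RULE_HEX)


def scan_bytes(data, pattern=GET_CPUID_PATTERN):
    """Return the offset of every match of the pattern in `data`."""
    return [m.start() for m in pattern.finditer(data)]


def scan_file(path, pattern=GET_CPUID_PATTERN):
    """Return match offsets for the file at `path`."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), pattern)


def constructed_match(filler=b"\x0a"):
    """Constructed test input: the rule's fixed bytes with each wildcard set to `filler`."""
    return b"".join(filler if t == "??" else bytes.fromhex(t) for t in RULE_HEX.split())


if __name__ == "__main__":
    for path in sys.argv[1:]:
        offsets = scan_file(path)
        status = "MATCH at " + ", ".join(hex(o) for o in offsets) if offsets else "no match"
        print(f"{path}: {status}")
```

Run it with one or more library paths as arguments; a match means the same thing as a hit on the rule's `$a` string and should be confirmed with the distribution's package verification.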

Indicators of compromise

Yara rules

rule liblzma_get_cpuid_function {
    meta:
        description = "Rule to find the malicious get_cpuid function CVE-2024-3094"
        author = "Kaspersky Lab"
    strings:
        $a = { F3 0F 1E FA 55 48 89 F5 4C 89 CE 53 89 FB 81 E7 00 00 00 80 48 83 EC 28 48 89 54 24 18 48 89 4C 24 10 4C 89 44 24 08 E8 ?? ?? ?? ?? 85 C0 74 27 39 D8 72 23 4C 8B 44 24 08 48 8B 4C 24 10 45 31 C9 48 89 EE 48 8B 54 24 18 89 DF E8 ?? ?? ?? ?? B8 01 00 00 00 EB 02 31 C0 48 83 C4 28 5B 5D C3 }
    condition:
        $a
}

Known backdoored libraries

Debian Sid liblzma.so.5.6.0

Debian Sid liblzma.so.5.6.1


Sneaky Credit Card Skimmer Disguised as Harmless Facebook Tracker

The Hacker News - 12 April, 2024 - 07:09
Cybersecurity researchers have discovered a credit card skimmer that's concealed within a fake Meta Pixel tracker script in an attempt to evade detection. Sucuri said that the malware is injected into websites through tools that allow for custom code, such as WordPress plugins like Simple Custom CSS and JS or the "Miscellaneous Scripts" section of the Magento admin panel.
Category: Hacking & Security

U.S. Federal Agencies Ordered to Hunt for Signs of Microsoft Breach and Mitigate Risks

The Hacker News - 12 April, 2024 - 06:32
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued an emergency directive (ED 24-02) urging federal agencies to hunt for signs of compromise and enact preventive measures following the recent compromise of Microsoft's systems that led to the theft of email correspondence with the company. The attack, which came to light earlier this year, has been
Category: Hacking & Security

Apple: People in more than 92 nations are being surveilled

Computerworld.com [Hacking News] - 11 April, 2024 - 21:29

Far from shrinking, the scale of mercenary surveillance companies paid by governments to spy on journalists, human rights campaigners, and other members of the civil state is growing.

Today Apple warned iPhone users in an astonishing 92 nations that attacks against them have taken place. (The company sends out these notifications several times each year.) Without opposition, governments and other entities will not quit this unconstrained descent into becoming a surveillance society.

You are a surveillance target

According to TechCrunch, Apple wrote users: “Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple ID. This attack is likely targeting you specifically because of who you are or what you do. Although it’s never possible to achieve absolute certainty when detecting such attacks, Apple has high confidence in this warning — please take it seriously.” 

The latest rash of warnings means Apple has now identified 150 nations in which such attacks have taken place. There are 196 nations on the planet.

“Since 2021, we have sent Apple threat notifications multiple times a year as we have detected these attacks, and to date we have notified users in over 150 countries in total,” Apple said.

Though it may not be aware of every attack, its security teams work around the clock to protect customers against what it has until recently described as “state sponsored mercenary surveillance.” Many of the firms engaged in selling snooping software are, like NSO Group, Israel-based. 

What to do if you receive a warning 

If you have received a threat notification, you should act immediately. Amnesty International’s Security Lab tells us that an Apple threat notification should be seen as a very strong indication that you are being attacked. 

Amnesty’s own forensic tests with individual devices that have received such notifications confirm they should be taken seriously, and if you have received one, you should take immediate steps to remediate and secure your digital existence. 

Apple advises that you secure expert help, such as the rapid-response emergency security assistance provided by the Digital Security Helpline at the non-profit Access Now. Amnesty International and other Security Lab civil society partners are also equipped to provide support to individuals who received the Apple notifications. 

Are these attacks proliferating?

Reuters also notes that Apple has changed how it describes the attacks. The company now tells people that they may have been victims of “mercenary spyware attack,” rather than framing the assault as being “state-sponsored” as it did before. 

While this is described as a reaction to government reluctance to be linked with such attacks, it is also plausible to believe that it reflects continued growth in the surveillance business. As I’ve warned before, today’s expensive state-sponsored attacks become tomorrow’s $100 bargain deal on the dark web. These offensive technologies are utterly insidious and rot the center of democracy.

Apple also updated its Apple Support article concerning mercenary spyware and the threat notifications it has shared. “Mercenary spyware attacks cost millions of dollars and often have a short shelf life, making them much harder to detect and prevent,” the company said. “The vast majority of users will never be targeted by such attacks.”

Ivan Krstić, head of Apple security engineering and architecture, has previously promised to keep fighting back: “Apple runs one of the most sophisticated security engineering operations in the world, and we will continue to work tirelessly to protect our users from abusive state-sponsored actors like NSO Group.”

That said, a report today from Interpres Security seems to confirm the growing magnitude of these threats.

Security advice

In an increasingly challenging security environment, everyone online should protect themselves:

  • Update devices with latest software.
  • Use complex passcodes.
  • Use two-factor authentication.
  • Protect their Apple ID with a strong password.
  • Install apps only from trusted sources, such as the App Store.
  • Use strong and unique passwords.
  • Never click on links or attachments from people you do not know.

Finally, if you think you may be a target, use Lockdown Mode.

Apple developed this mode in response to a wave of sophisticated attacks (Pegasus, Devils Tongue and Hermit). Lockdown Mode provides a great deal of protection at the cost of some utility; Apple is expected to continue to invest in securing its platforms, even against the designed-in weaknesses it is being forced to adopt in reaction to some regulations, particularly in Europe and the UK.

Category: Hacking & Security

Python's PyPI Reveals Its Secrets

The Hacker News - 11 April, 2024 - 13:32
GitGuardian is famous for its annual State of Secrets Sprawl report. In their 2023 report, they found over 10 million exposed passwords, API keys, and other credentials exposed in public GitHub commits. The takeaways in their 2024 report did not just highlight 12.8 million new exposed secrets in GitHub, but a number in the popular Python package repository PyPI. PyPI,
Category: Hacking & Security

TA547 Phishing Attack Hits German Firms with Rhadamanthys Stealer

The Hacker News - 11 April, 2024 - 13:32
A threat actor tracked as TA547 has targeted dozens of German organizations with an information stealer called Rhadamanthys as part of an invoice-themed phishing campaign. "This is the first time researchers observed TA547 use Rhadamanthys, an information stealer that is used by multiple cybercriminal threat actors," Proofpoint said. "Additionally, the actor appeared to
Category: Hacking & Security

In April, Microsoft fixed almost 150 holes and at the same time released a package of improvements for Windows 11 and 10

Zive.cz - security - 11 April, 2024 - 12:45
  • Microsoft is turning on the second part of Moment 5 for everyone in Windows 11
  • Spotlight, which automatically changes wallpapers, is coming to Windows 10
  • April's mandatory updates fix 149 vulnerabilities
Category: Hacking & Security

How to use PivotTables and PivotCharts in Excel

Computerworld.com [Hacking News] - 11 April, 2024 - 12:00

Spreadsheets can be vast, often containing thousands of rows of repetitive data that makes them impossible to parse at a glance. Fortunately, Excel offers two powerful features — PivotTables and PivotCharts — for summarizing data sets and presenting them visually.

What is a PivotTable?

A PivotTable allows you to take an extensive data set with multiple columns and rows and summarize that data in a compact, easy-to-read table. You can create multiple PivotTables from the same data set, each highlighting different aspects of the data. And PivotTables are interactive — you can easily manipulate them to filter or rearrange the data shown in one.

What is a PivotChart?

A PivotChart is a chart visualization based on the summarized information in a PivotTable. You can choose from a wide variety of chart types to best display a PivotTable’s data. The combinations you can create using these tools are countless.

In this tutorial, we will give you step-by-step instructions on how to get started with PivotTables and PivotCharts, and you can apply these steps to any data set you work with in Excel. We’ll demonstrate in Excel for Windows under a Microsoft 365 subscription; if you’re using a different version of Excel, your interface might look a little different and the steps might vary slightly, but things work more or less the same way.

How to create a PivotTable in Excel

We will use the data set shown below as our starting point:

The starting data set for our PivotTable examples.

Shimon Brathwaite / IDG

To get started, select any cell in the data set, then go to the Ribbon toolbar at the top of the spreadsheet and select Insert. At the far left of the toolbar, select the PivotTable button.

A pop-up appears that lets you select the range of data you want to analyze and where to place the PivotTable. Make sure the whole data set is selected and that the PivotTable will be placed in a new worksheet, then click OK.

Starting a PivotTable in Excel.

Now we are brought to the starting page for creating a PivotTable. From here, we can begin constructing our first data summary.

Your blank canvas for PivotTable creation.

First, we will look at the total quantity of each ordered product. To do this, let’s check the checkbox next to Quantity in the PivotTable Fields sidebar on the right. This will move Quantity into the Values area at the bottom right of the sidebar. Next, drag Product_# into the Rows area to sort by Product_#. The screenshot below shows the result.

This PivotTable shows the quantity of each product type sold.

Here we see a summary of the quantity of products sold by product number and the total quantity of all products sold. You can do this sort of simple analysis with any two variables, but you can also do more fine-grained summaries.

Next, we will add another layer to our analysis by displaying quantity of products by product number and categorizing them by order category. To do this, drag Order_Category into the Rows section of the sidebar and make sure that Order_Category is on top. (You can reorder the items in any area of the sidebar by dragging and dropping them.)

In this version of the PivotTable, another element is shown: Order_Category.

It’s important to understand that you can manipulate how information is shown in the table by the order in which you place the items in any section of the PivotTable. Since we put Order_Category on top of the Rows area, the PivotTable is summarized by that first and then by Product_# inside. To show the opposite sorting, move Product_# to the top in the Rows section and see the result.

Reversing how Product_# and Order_Category are displayed in the PivotTable.

So far, we have only used the Rows section of the PivotTable builder, but we can show even more information using the Rows and Columns sections together. To demonstrate, we will display the total quantity of products sold at different unit prices. To do this, uncheck the Order_Category checkbox at the top of the sidebar, keep Product_# in the Rows section, and then drag Unit_Price into the Columns section.

The PivotTable now has columns for different unit prices.

We have created a summary showing the amount of each product sold at a particular unit price. Now, let’s say we don’t want to view all of the products at the same time. We can limit the products shown using the filtering tools built into PivotTables.

First, let’s filter our results by Products 1, 2, and 3. Click the downward triangle icon next to Row Labels. In the filtering pop-up that appears, select Products 1, 2, and 3. The PivotTable will change to show only those three products.

Filtering the PivotTable to show only Products 1, 2, and 3.

Once you are done, select the Clear Filter button in the pop-up, and the full PivotTable reappears.

Next, let’s filter by unit price using the Column Labels filter option. Select that filter and select the $4.00, $5.00, & $7.00 options to change your PivotTable.

Filtering the PivotTable to show only items that cost $4.00, $5.00, and $7.00.

You can also use the pop-up to sort the items in the PivotTable by various fields, and to filter using conditions such as “Greater Than” or “Contains.” It’s worth spending a little time playing with the options to see what happens; just remember to click Clear Filter when you’re done.

Before we move on to PivotCharts, let’s discuss the Filters area of the sidebar. This can be used to filter out specific items from the PivotTable, but you may find it simpler to remove the field altogether or use the filtering and sorting options that we discussed earlier for more granular control. However, you can see how this box functions by moving the “Product_#” field to the Filters area.

Another way to filter PivotTable data is by using the Filters area in the PivotTable Fields sidebar.

How to create a PivotChart in Excel

Now, let’s move on to how to create data visualizations using PivotCharts. To add a PivotChart to the main data set, go back to the worksheet that contains the main data set, place your cursor in a cell that contains data, and select Insert > PivotChart in the Ribbon.

Starting a PivotChart in Excel.

Hit OK on the dialog box that pops up, and the familiar PivotTable builder interface appears, with an additional placeholder for a PivotChart.

Your blank canvas for PivotChart creation.

We will summarize the quantity of items sold by order category and unit price. In the sidebar, check Quantity to add it to the Values area, then drag Order_Category and Unit_Price to the Axis (Categories) area, with Order_Category on top. This will create a PivotTable and a column chart displaying the information we have selected.

The PivotChart graphically displays the information from the PivotTable at left.

But you’re not limited to column charts; there are multiple types of charts to choose from. Right-click the column chart, select Change Chart Type, and select Pie > 3-D Pie to see a different chart example.

Choosing a different chart type for the PivotChart.

The result will look like the screenshot below.

The PivotChart in 3-D pie chart form.

You can filter or sort the data in the PivotTable that a PivotChart is based on, and those changes will be reflected in the PivotChart. To see what this looks like, click the minus sign to the left of Large Order in the PivotTable to the left of the chart. The Large Order section of the PivotTable collapses and shows only the large order total, without breaking it down by unit price. The same thing happens in the PivotChart to the right.

The PivotChart with Large Orders collapsed into a single slice of pie.

Now you see how using PivotTables and PivotCharts lets you create data summaries and visualizations to display specific data quickly and easily. These options can be used on data sets of almost any size and easily customized to show only very specific information. The combinations that you can create using PivotTables and PivotCharts are almost endless, and we encourage you to test them out on any data sets that you work with in Excel.

Category: Hacking & Security

Apple Updates Spyware Alert System to Warn Victims of Mercenary Attacks

The Hacker News - 11 April, 2024 - 08:44
Apple on Wednesday revised its documentation pertaining to its mercenary spyware threat notification system to mention that it alerts users when they may have been individually targeted by such attacks. It also specifically called out companies like NSO Group for developing commercial surveillance tools such as Pegasus that are used by state actors to pull off "individually targeted
Category: Hacking & Security
